Options expand for online authentication

Five years can be a lifetime in IT, and the online world has changed since the National Institute of Standards and Technology published its guidelines for authenticating identity online in 2006.

The current version of Special Publication 800-63 Electronic Authentication Guideline is quite out of date, said NIST computer scientist Tim Polk, manager of the Computer Security Division’s Cryptographic Technology Group. “People have been waiting a long time for the new version to come out. It’s just old.”

Authentication means ensuring that a person or machine accessing online resources is who he, she, or it claims to be, so that the appropriate access can be granted. How this is done depends largely on the technology being used for access and the sensitivity of the resources being accessed. As the online world becomes more interactive, distributed and mobile, tools for authentication are changing.


A new draft of the revised SP 800-63 was released by NIST earlier this year to address some of the major changes. The proposed revision provides technical guidelines for remote authentication of users to federal IT systems. It addresses only traditional, widely implemented authentication technologies, but even those have changed since 2006.

“There is a much greater use of assertion technology today,” Polk said.

Under older models, each server offering content would maintain its own user accounts and credentials and do its own authentication. “When you only had a few apps that you needed a password for, it was easy to keep track of them,” Polk said.

As infrastructures grew more complex, public-key infrastructure made it practical to maintain accounts on one server while each content server still performed its own authentication. In today's more dynamic environment, authentication can be outsourced entirely, with the verified identity passed to content servers as an assertion.

Although SAML, the Security Assertion Markup Language, was emerging in 2006, it was not widely used in government at that time. “Assertion provides scalability,” Polk said. “That is probably the biggest change.”
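The exchange described above, as an added example that is not part of the article or of any NIST publication: an identity provider (IdP) authenticates the user and hands the content server, the service provider (SP), a signed assertion, so the SP never handles a password. The SAML flow is reduced here to a JSON payload with an HMAC signature so it runs on the Python standard library; the shared IdP/SP key, the entity IDs, the 5-minute validity window and the helper names are all assumptions (real SAML signs XML with the IdP's private key, so an SP cannot forge assertions with the verification key). What the paragraph does not show is the list of checks an SP must make before trusting the subject: signature, issuer, audience, validity window, binding to the request it sent, and single use.

```python
"""Assertion-based authentication in miniature (added example, see lead-in)."""
import base64
import hashlib
import hmac
import json
import secrets

IDP_KEY = b"constructed-idp-signing-key"   # assumption: shared secret, not a real key
IDP_ID = "https://idp.example.gov"        # constructed entity ID
DEFAULT_TTL = 300                         # assumption: 5-minute assertion lifetime


class InvalidAssertion(Exception):
    """Raised by the SP for any assertion it must not accept."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()


def idp_issue_assertion(subject: str, request: dict, now: float,
                        ttl: int = DEFAULT_TTL) -> str:
    """IdP side: after authenticating `subject`, sign an assertion bound to
    one SP (audience) and to one AuthnRequest (in_response_to)."""
    claims = {
        "issuer": IDP_ID,
        "subject": subject,
        "audience": request["issuer"],
        "in_response_to": request["id"],
        "not_before": now,
        "not_on_or_after": now + ttl,
        "assertion_id": secrets.token_urlsafe(16),
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


class ServiceProvider:
    """Content server that outsources authentication to the IdP."""

    def __init__(self, entity_id: str):
        self.entity_id = entity_id
        self._pending = {}       # request id -> AuthnRequest we issued
        self._seen_ids = set()   # assertion ids already consumed

    def start_login(self, now: float) -> dict:
        """Build the AuthnRequest; its random id ties the assertion back
        to this login attempt."""
        request = {"id": secrets.token_urlsafe(16),
                   "issuer": self.entity_id, "issued_at": now}
        self._pending[request["id"]] = request
        return request

    def consume_assertion(self, token: str, now: float) -> str:
        """Validate every field before trusting the subject. The signature
        is checked before anything in the body is parsed."""
        body, _, sig = token.rpartition(".")
        if not hmac.compare_digest(sig, _sign(body)):
            raise InvalidAssertion("bad signature")
        claims = json.loads(_unb64(body))
        if claims.get("issuer") != IDP_ID:
            raise InvalidAssertion("unknown issuer")
        if claims.get("audience") != self.entity_id:
            raise InvalidAssertion("assertion issued for a different SP")
        if not claims["not_before"] <= now < claims["not_on_or_after"]:
            raise InvalidAssertion("outside validity window")
        if claims.get("in_response_to") not in self._pending:
            raise InvalidAssertion("unsolicited or already-used request id")
        if claims["assertion_id"] in self._seen_ids:
            raise InvalidAssertion("assertion replayed")
        del self._pending[claims["in_response_to"]]
        self._seen_ids.add(claims["assertion_id"])
        return claims["subject"]


def tamper(token: str, **changes) -> str:
    """Demo helper: rewrite claims while keeping the old signature."""
    body, _, sig = token.rpartition(".")
    claims = json.loads(_unb64(body))
    claims.update(changes)
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{sig}"


def demo() -> dict:
    """Walk through the exchange and the rejections an SP must enforce."""
    sp = ServiceProvider("https://content.example.gov")    # constructed IDs
    other = ServiceProvider("https://other.example.gov")
    outcome = {}
    req = sp.start_login(now=1000.0)
    token = idp_issue_assertion("alice@example.gov", req, now=1000.0)
    outcome["valid"] = sp.consume_assertion(token, now=1001.0)
    for name, attempt in [
        ("replay", lambda: sp.consume_assertion(token, 1002.0)),
        ("wrong_audience", lambda: other.consume_assertion(token, 1001.0)),
        ("tampered", lambda: sp.consume_assertion(
            tamper(token, subject="mallory@example.gov"), 1001.0)),
        ("expired", lambda: sp.consume_assertion(
            idp_issue_assertion("alice@example.gov", sp.start_login(2000.0), 2000.0),
            2400.0)),
    ]:
        try:
            attempt()
            outcome[name] = "accepted"
        except InvalidAssertion as exc:
            outcome[name] = f"rejected: {exc}"
    return outcome


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} {result}")
```

The order of checks is deliberate: nothing from the body is read until the signature over the whole body has been verified, and the audience check is what stops an assertion issued for one SP from being replayed to another, which is the scalability trade-off of letting many content servers trust one IdP.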

Mobile authentication tools

But there also are new, mobile tools in the hands of users that can be leveraged for authentication. One-time passwords can be sent out-of-band to a user’s cell phone, for instance. Cell phones were not new in 2006, but they were not as common as they are today, and NIST guidelines did not address this technique. “Six years later, it’s hard to find users who don’t have a cell phone,” Polk said.
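The server side of the out-of-band one-time password just described, as an added example that is not from the article or from NIST SP 800-63: the server generates a short code for the pending login session, hands it to a second channel such as SMS, and later checks the user's reply. Delivery is a callback so the code runs offline; the 6-digit length, 5-minute lifetime, 3-attempt cap and the in-memory store keyed by session id are assumptions. The point the paragraph leaves out is that the code is bound to the session that requested it, is single use, expires, and cannot be guessed through the attempt cap.

```python
"""Out-of-band OTP issuance and verification (added example, see lead-in)."""
import hashlib
import hmac
import secrets

OTP_DIGITS = 6
OTP_TTL = 300        # seconds (assumption)
MAX_ATTEMPTS = 3     # wrong guesses before the code is invalidated (assumption)


def _digest(code: str, salt: bytes) -> bytes:
    # Hashing keeps the clear code out of the store; with only 10**6 possible
    # values, the attempt cap in verify_otp, not the hash, is what stops guessing.
    return hashlib.sha256(salt + code.encode()).digest()


def issue_otp(store: dict, session_id: str, phone: str, now: float, send) -> None:
    """Generate a fresh code for this login session and push it out of band.

    `send(phone, code)` is the delivery hook (assumption); a real deployment
    hands the code to an SMS gateway and never returns it to the browser.
    """
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    salt = secrets.token_bytes(16)
    store[session_id] = {        # replaces any earlier code for the session
        "phone": phone,
        "salt": salt,
        "digest": _digest(code, salt),
        "expires": now + OTP_TTL,
        "attempts": 0,
    }
    send(phone, code)


def verify_otp(store: dict, session_id: str, submitted: str, now: float) -> str:
    """Check the user's reply for the session that requested the code. Returns:
    'ok'        correct code; it is consumed and cannot be used again
    'unknown'   no pending code for this session (never issued, or used up)
    'expired'   code too old; the record is discarded
    'mismatch'  wrong code; attempts remain
    'locked'    wrong code and the attempt cap is reached; record discarded
    """
    rec = store.get(session_id)
    if rec is None:
        return "unknown"
    if now >= rec["expires"]:
        del store[session_id]
        return "expired"
    if hmac.compare_digest(_digest(submitted, rec["salt"]), rec["digest"]):
        del store[session_id]          # single use
        return "ok"
    rec["attempts"] += 1
    if rec["attempts"] >= MAX_ATTEMPTS:
        del store[session_id]
        return "locked"
    return "mismatch"


def demo() -> list:
    """Exercise the happy path and each failure mode; returns the outcomes."""
    store, delivered = {}, {}
    phone = "+1 555 0100"              # constructed number

    def capture(to, code):             # stands in for the SMS gateway
        delivered[to] = code

    def wrong_for(code):               # a guess guaranteed not to match
        return "000000" if code != "000000" else "000001"

    results = []
    issue_otp(store, "sess-1", phone, now=0.0, send=capture)
    code = delivered[phone]
    results.append(verify_otp(store, "sess-1", wrong_for(code), now=10.0))
    results.append(verify_otp(store, "sess-1", code, now=20.0))
    results.append(verify_otp(store, "sess-1", code, now=21.0))
    issue_otp(store, "sess-2", phone, now=100.0, send=capture)
    results.append(verify_otp(store, "sess-2", delivered[phone], now=100.0 + OTP_TTL))
    issue_otp(store, "sess-3", phone, now=200.0, send=capture)
    code = delivered[phone]
    for _ in range(MAX_ATTEMPTS):
        results.append(verify_otp(store, "sess-3", wrong_for(code), now=201.0))
    results.append(verify_otp(store, "sess-3", code, now=202.0))
    return results


if __name__ == "__main__":
    print(demo())
```

Because the record is keyed by the login session, a code sent for one session does not complete a different one, and a code that was issued but never used is dropped once it expires rather than lingering in the store.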

For transactions within government, a standard for identity management and authentication is emerging in the Personal Identity Verification card, the federal employee ID card that carries digital certificates for both logical and physical access. PIV is another technology that was emerging in 2006 and has since become ubiquitous, at least in government.

But although most government employees have a PIV card, the cards are not yet broadly supported by applications. “The problem now is getting applications developed to support them,” Polk said.

The Office of Management and Budget defines four levels of authentication assurance in terms of the consequences of authentication errors and misuse of credentials, with Level 1 being the lowest. The PIV card offers the highest assurance, Level 4, with biometrics and digital certificates that can be used to authenticate the holder through PKI.

But even broad support of the PIV card will only solve the authentication puzzle within the federal government and with some contractors. It will never become a general-issue credential because it is government-specific. “We are not going to issue PIV cards to citizens,” Polk said.

ID card interoperability

However, PIV-Interoperable (PIV-I) standards have been developed to allow the private sector to issue cards that can be trusted by government. “I think we are going to find, as more PIV-enabled applications come online, the PIV Interoperable card will get more traction,” Polk said.

This could be a practical tool for first responders in state and local government and critical industries who need to communicate and cooperate with federal officials in emergencies. Because they would operate at Level 4 assurance, PIV-I cards could be used in the most sensitive situations.

But Level 4 assurance comes at a cost, and PIV-I cards probably would not be cost effective for the general public. “Many other activities don’t require that same level of security, so I would expect other mechanisms to be selected,” Polk said.

The more ID cards, passwords and tokens a person holds, the harder they are to manage, both for the holder and for the content provider. The ideal solution would be for everyone to have one credential, certified to the highest level of assurance he or she needs, that is interoperable and accepted everywhere.

“I expect we will never get to that,” Polk said.

Reader Comments

Fri, Jul 29, 2011 Sarah

You mention the option of sending one-time passwords and authentication codes to people's mobile phones. With the pervasiveness of mobile phones today, this is a good option and is very convenient for users (who generally have their phone near them at all times anyway). However, the act of sending the authentication codes in plain text as an SMS text message (as most do) is no longer secure. A variant of the Zeus malware is used by cybercriminals to both steal the login credentials for the online accounts and intercept the authentication text messages that the website attempts to send the user (called a Zeus-in-the-mobile attack). A better approach is to deliver a type of knowledge-based or image-based authentication challenge to the user's mobile phone so that even if the communication is intercepted, it requires some secret knowledge from the legitimate user in order to complete the authentication. You can see an example of one such approach here: http://youtu.be/kMj-9wLWptg
